International Law Protections Against Cyber Operations Targeting the Health Care Sector

This feature was originally published on EJIL: Talk! and cross-posted on Just Security and Opinio Juris

Many have recently written about the application of international law in cyberspace and to the global COVID-19 pandemic, but relatively few have examined the intersection between these two areas. Notwithstanding that oversight, recent weeks have seen cyberattacks on organizations at the frontline of the response to the COVID-19 pandemic, including malicious cyber operations against the World Health Organizationmedical providersresearch institutespharmaceutical manufacturershospitals and hospital networks. In response to these attacks, the European Union issued a statement in which “the European Union and its Member States call[ed] upon every country to exercise due diligence and take appropriate actions against actors conducting such activities from its territory, consistent with international law”. Twelve other countries aligned themselves with this declaration. In late March, three authors from the International Committee of the Red Cross (ICRC), writing in their personal capacities, examined the international law protections prohibiting cyberattacks against medical facilities during the pandemic.

These events triggered a two-day virtual workshop at the University of Oxford—co-sponsored by the Oxford Institute for Ethics, Law and Armed Conflict (ELAC) at the Blavatnik School of Government, Microsoft, and the Government of Japan—to discuss these issues.  On Friday, May 22, 2020, Estonia, as President of the United Nations Security Council, is planning an Arria-Formula meeting of the Council to discuss responsible state behavior in cyberspace, including the international legal protections accorded to healthcare. 

Because of the urgency of the current moment, the participants in the Oxford Workshop agreed upon the Oxford Statement below, regarding relevant international law rules and principles relating to malicious cyber operations targeting healthcare facilities. The Statement’s aim is not to cover all applicable principles of international law, but rather, to articulate a short list of consensus protections that apply under existing international law to cyber operations targeting the health care sector. 

The Oxford Statement was opened for signature by international law scholars, and remains open for signature. The Oxford Statement has been transmitted to participants in the May 22, 2020 Security Council meeting in hopes that it will promote discussion and spur clarification of the international law rules in this area. 

International law has always been disaster-driven. Deliberate targeting of medical facilities during armed conflict has been called “at once morally indefensible and categorically illegal.” The present crisis presents a rare window for making this point of law explicit and unambiguous: in real and virtual space, in times of war and peace. The UN Security Council is finally giving this matter its attention. Global crises create unique opportunities for international lawmaking. International lawyers should not waste this moment.

Read the Oxford Statement on the International Law Protections Against Cyber Operations Targeting the Health Care Sector.